Method for monitoring stored procedures

ABSTRACT

A method for monitoring stored procedures is disclosed. The method performs on-line and inline monitoring of stored procedures for detecting table access operations performed by the procedures. This allows the enforcing of access control policies, correlation rules and audit rules on stored procedures. The monitoring is performed using mapping information gathered about each stored procedure that can be executed by a database server. The method comprises parsing an incoming transaction submitted by a client; determining whether the incoming transaction includes an invocation of a stored procedure; obtaining a query group corresponding to the stored procedure; applying an access control policy on the query group; and asserting an unauthorized event if the query group is not compliant with the access control policy.

CROSS REFERENCE TO RELATED APPLICATIONS

This application claims priority from a U.S. provisional application60/844,096 filed on Sep. 13, 2006.

TECHNICAL FIELD

The disclosed teachings relate generally to monitoring a databasesystem, and more particularly to controlling access to database tables.

BACKGROUND

The following U.S. patents and publications provide useful backgroundinformation, for which they are incorporated herein by reference intheir entirety.

7,085,780 August 2006 Sakamoto, et al. 7,082,455 July 2006 Hu, et al.6,769,074 July 2004 Vaitzblit 6,507,834 January 2003 Kabra, et al.20060136493 June 2006 Muralidharan, et al. 20040162822 August 2004Papanyan, et al. 20040162825 August 2004 Bhaghavan, et al.

A stored procedure is a named group of SQL statements previously createdand stored in a database server. Stored procedures accept inputparameters so that a single procedure can be used over the network byseveral clients using different input data. Stored procedures reducenetwork traffic and improve performance. Additionally, stored procedurescan be used to ensure the integrity of transactions. For example, thefollowing stored procedure allows a user to get the inventory levels fora given warehouse:

CREATE PROCEDURE sp_GetInventory @location varchar(10) AS SELECTProduct, Quantity FROM Inventory WHERE Warehouse=@location.

The stored procedure named “sp_GetInventory” includes the SQL statement:

“SELECT Product, Quantity FROM Inventory WHERE Warehouse=@location”

where the location is an input parameter. The database table accessed bythis procedure is “Inventory” and the operation performed on this tableis “SELECT”. A user can retrieve inventory levels by providing thedesired warehouse's location as an input to the procedure and issuing acommand:

EXECUTE sp_GetInventory ‘New-York’

For security of data and transaction integrity purposes it is desirableto monitor access to underlying tables in stored procedures and enforceaccess control on such tables. Related art techniques for monitoringtables that are accessed through stored procedures are based on adatabase internal audit trail mechanism. This introduces a majordrawback as an attacker may take over the entire database or simply turnoff the audit mechanism, and thus removing any traces of his activity.Another drawback is that such techniques generate many redundant recordsand events that need to be processed. For example, a stored proceduremay include tens of operations to various tables. A single invocation ofthe stored procedure creates many access records that must be processed.As a result, the overall performance of a database system is reduced.Another drawback of related art techniques is the miscorrelation betweenprocedure invocation and table access operations, i.e., a user (e.g., asystem administrator) cannot correlate a suspicious access to a table tothe invocation of a stored procedure. Thus, the user cannot detect thecause for an illegal access and take corrective actions. In addition,the audit based monitoring techniques cannot distinguish between anaccess made through a stored procedure, considered as an authorizedaccess, and direct access to a table (e.g., by submitting a SQLstatement) which is an unauthorized access.

In view of the shortcomings of related art techniques it would beadvantageous to provide an efficient, effective and secure solution formonitoring stored procedures.

SUMMARY

To realize some of the advantages described above there is provided amethod for monitoring activity and detecting unauthorized access todatabase tables through stored procedures, comprising parsing anincoming transaction submitted by a client. The method further comprisesdetermining whether the incoming transaction includes an invocation of astored procedure; obtaining a query group corresponding to the storedprocedure; applying an access control policy on the query group; andasserting an unauthorized event if the query group is not compliant withthe access control policy.

More specifically, upon asserting the unauthorized event, thetransaction is blocked.

Even more specifically, the detection of an unauthorized access isperformed inline and online by a secure gateway installed between theclient and a database server.

In a specific implementation, the query group includes at least one pairof a table and an operation performed on the table.

In another specific implementation, the query group includes at leastone privileged operation executed by the stored procedure.

In an enhanced implementation, the method further comprisesdistinguishing between transactions in which a table is directlyaccessed by the client and transactions in which a table is indirectlyaccessed using the stored procedure to access the table.

More specifically applying the access control policy on the query groupfurther comprises applying on the query group at least one ofcorrelation rules and audit rules associated with the client.

Even more specifically, the stored procedure may include at least oneof: a user defined function, a database trigger, a database view.

Computer program products including a computer readable medium havingsoftware instructions to enable a computer to implement the abovetechniques are also within the scope of the disclosed teachings.

Another aspect of the disclosed teachings is a method for generating aquery group for a stored procedure. The method comprises extracting froma data dictionary a list of tables having dependencies on the storedprocedure; determining according to tables names if the tables exist ina source code of the stored procedure; for each table that exists in thesource code extracting an operation code associated with the table; andsaving the operation code in a query group of the respective storedprocedure.

BRIEF DESCRIPTION OF THE DRAWINGS

The above objectives and advantages of the disclosed teachings willbecome more apparent by describing in detail preferred implementationsthereof with reference to the attached drawings in which:

FIG. 1—is a block diagram of a secure database system used to describeaspects of the disclosed teachings;

FIG. 2—is a schematic representation a data structure used to maintainmapping information; and

FIG. 3—is a flowchart describing a method for detecting unauthorizedaccess to database tables made through stored procedures in accordancewith an exemplary implementation of the disclosed teachings.

DETAILED DESCRIPTION

To overcome the shortcomings of related art techniques a method formonitoring stored procedures is disclosed. The method performs on-lineand inline monitoring of stored procedures for detecting table accessoperations performed by the procedures. This allows the enforcing ofaccess control policies, correlation rules and audit rules on storedprocedures. The monitoring is performed using mapping informationgathered about each stored procedure that can be executed by a databaseserver.

FIG. 1 shows an exemplary and non-limiting block diagram of a securedatabase system 100 used to demonstrate the principles of the disclosedteachings. System 100 includes a plurality of clients 110-1 through110-N, a secure gateway 120, a secure server 130, a database (DB) server140, and a database 150. The secure gateway 120 and secure server 130are enabled by the disclosed teachings. A client 110 submits atransaction to be executed by DB server 140 through a network 160, suchas a local area network (LAN) or a wide area network (WAN). DB server140 may be any computational node including a mechanism for servicingrequests from a client 110 for computational or data storage resources.For example, DB server 140 may be one of Oracle Database Server,Microsoft SQL server, DB2, Sybase, and the likes. Database 150 mayinclude any type of non-volatile storage and is directly coupled to DBserver 140.

Secure gateway 120 is placed on a network segment between clients 110and DB server 140. Secure gateway 120 collects and analyzes traffic(transactions) sent from clients 110 to DB server 140. This is performedto allow on-line and inline (as traffic flows from clients 110 to DBserver 140) monitoring of stored procedures as well as table accessoperations performed by the procedures, and enforcing access control onthe procedures. Specifically, gateway 120 is designed to identify, usingmapping information generated by secure server 130, stored procedures intransactions flow from clients 110 to DB server 140 and distinguishbetween direct access to tables and access through stored procedures.

FIG. 2 shows a schematic representation of a data structure 200 used tomaintain the mapping information. Each stored procedure object 210 has aquery group data structure 220 including a list of (table, operation)pairs 230. Each pair 230 consists of a table and an operation performedon that table. As an example, for the stored procedure “sp_GetInventory”shown above, the query group includes the pair (Inventory, SELECT). Themapping information may include query groups of stored procedures thatinvoked other stored procedures. This provides information about tableaccess indirectly performed by stored procedures through other storedprocedures. As shown in FIG. 2, the information is hierarchicallyorganized indicating that stored procedure 210-2 is called by procedure210-1 and a query group 220-2 belongs to stored procedure 210-2. Theprocess for compiling the mapping information will be described indetail below. It should be noted that other exemplary implementationsfor representing the mapping information will be apparent to a personskilled in the art.

Secure gateway 120 applies a predefined access control policy on thequery groups. An access control policy defines for each client 110 itsrespective allowed access to the database tables and how it may be done.If a query group extracted from a client's request is not compliant withthe access control policy, secure gateway 120 may block the transaction.A query group may also be checked against correlation rules or auditrules. Secure gateway 120 may also block unauthorized operationsresulting from direct access to database 150. The ability to distinguishbetween transactions in which a table is directly accessed by a clientand transactions in which a table is indirectly accessed using a storedprocedure to access the table provides an advantage over related artsolutions and ensures both security of data and transaction integrity.

FIG. 3 shows an exemplary and non-limiting flowchart 300 describing themethod for detecting an unauthorized access to database tables throughstored procedures in accordance with an exemplary implementation of thedisclosed teachings. At S310, a transaction from a client 110 isreceived at secure gateway 120. The transaction may be, but is notlimited to in one of the following forms:

a) a text SQL query, e.g., SELECT Product FROM Inventory

b) a SQL query that invokes a stored procedure, e.g., SELECT sp1(Product) FROM Inventory, (sp1 is the procedure's name); or

c) a command that invokes a stored procedure, e.g., EXECUTEsp_GetInventory

At S320, the transaction is parsed to find a call to a stored procedure.At S330, a check is made to determine if such a call is detected, and ifso, execution continues with S340; otherwise, at S350 the transaction(including a text SQL query) is forwarded to DB server 140.

At S340 another check is made to determine if the detected procedure isa known procedure, i.e., if secure server 130 generated a query groupfor this procedure. Unknown stored procedures are sent, at S360, tosecure server 130 for learning purposes. At S370, respective querygroups of “known procedures” are retrieved using their procedure names.Secure gateway 120 holds a query group for each stored procedure thatmay be executed by DB server 140. At S375 a query group of a SQL querythat invokes a stored procedure (e.g., SELECT sp1 (Product) FROMInventory) is generated by retrieving the respective query group of theinvoked procedure (e.g., sp1) and adding pairs of tables and operationsdirectly performed by the SQL query, e.g., (Inventory, SELECT). Thequery group of the stored procedure is invoked using vendor specificprocedures. For example, with Oracle database a combination of automaticcode inspection and data dictionary information are used for thispurpose. With MS SQL, Sybase and DB2 the execution plan information isutilized. The generated query group is marked to distinguish betweentables that are directly accessed by the SQL query and tables accessedimplicitly through a stored procedure. For example, a stored procedurenamed “validate_user” with a parameter “paraml” that contains thestatement “SELECT id FROM users where user_id=paraml” is identified. Thequery group of this stored procedure is (users, SELECT). If a queryinspected on the network that invokes a stored procedure such as“execute validate_user(‘my-name’)” then the query group (users, SELECT)is implicit as it does not explicitly appear in the query, but ratherimplied by the use of the stored procedure. At S380, the query group ischecked against one or more access control policies, correlation rules,and audit rules associated with the client that submitted thetransaction. For example, these checks may include, but are not limitedto checking if the user is authorized to directly access the tables, ifthe combination of the tables and operations in the query group arepermitted by the access control policy, and so on. At S385, it isdetermined if one of the checks does not pass, and if so executioncontinues with S390 where an event is asserted indicating anunauthorized access and consequently secure gateway 120 may block thetransaction from being executed by DB server 140. Otherwise, at S395, anevent is generated authorizing the transaction.

An exemplary implementation according to the disclosed teachingsautomatically generates a query group for each stored procedure definedin DB server 140 and regardless of the type of the DB server. Inaccordance with an exemplary implementation, secure server 130 detectsthe accessed tables and operations performed on these tables using anexecution plan (or an Explain Plan). An execution plan is a report thatdepicts how DB server 140 plans to execute a given SQL query or a storedprocedure and how to retrieve requested data. Generally, the plancontains information about the objects involved in the execution ofprocedures, operations to be performed on each of the objects, the orderof operations, and information about performance time and CPUutilization. To this end, secure server 130 sets a connection with DBserver 140 to run the execution plan on all stored procedures in DBserver 140. Thereafter, secure server 130 analyzes the report generatedby the execution plan to build query groups. That is, for each storedprocedure, each operation and table access are extracted from the reportand saved as a pair (table, operation) in a query group. Thisimplementation is mainly designed for databases that support executionplans for stored procedures, e.g., DB2, Microsoft SQL server, andSybase.

In accordance with another exemplary implementation of the disclosedteachings, secure server 130 produces query groups by analyzing thesource code of procedures stored in DB server 140 and correlating thecode with information from the data dictionary of the database.Specifically, secure server 130 extracts from the data dictionary a listof dependencies for the stored procedure (i.e., list of tables on whichthe stored procedure depends for its correct functioning) and thensearches for these table names in the source code. Once a table isdetected in the source code, secure server 130 extracts the operationassociated with that specific table in the code. This information issaved in a query group of the respective procedure. This exemplaryimplementation is mainly designed for databases that do not supportexecution plans for stored procedures, such as Oracle. It should benoted that in both implementations, query groups can be created tosupport recursive stored procedures (i.e., stored procedures that invokeother stored procedures).

Secure server 130 frequently updates all query groups that it maintains.For this purpose, secure server 130 periodically monitors DB server 140to determine if any stored procedures were added. If a new procedure isfound, secure server 130 analyses the procedure and builds its querygroup by extracting tables and table operations from the storedprocedure source code for creating the procedure (example, for such codeis provided above). Secure server 130 further analyses unknownprocedures, reported by secure gateway 120, and generates query groupsfor these procedures. In addition, secure gateway 120 may detect acommand for creating a stored procedure (e.g., CREATE PROCEDUREsp_GetInventory) and provide secure server 130 with the creation code ofthe procedure. Secure server 130, at its turn, may generate the querygroup from this code.

It will be appreciated by a person skilled in the art that although inthe above-described exemplary implementations, secure gateway 120monitors access to database tables through stored procedures, gateway120 may also monitor access made through user defined functions,database views, database triggers, and any other executable codeexecuted by DB server 140 for accessing database tables. In addition,secure gateway 120 may handle all privileged operation (i.e., anoperation that affects the structure of the database) performed bystored procedures (e.g., create table, create user, and so on) as wellas dynamic SQL statements (e.g., execute immediate, sp_execsql, and soon). It would be further understood that the specific systemimplementation is provided as a mere example and other implementationsemploying the principles of the disclosed teachings may be created, andare specifically included herein.

It should be noted to a person skilled in the art that methods,processes and systems described herein can be implemented in software,hardware, firmware, or combination thereof. The implementation may beperformed as well using a computer system having a processor and amemory under control of the processor, the memory storing instructionsadapted to enable the processor to carry out operations as describedabove. The implementation may be realized, in a concrete manner, as acomputer program product that includes a tangible computer readablemedium holding instructions adapted to enable a computer system toperform the operations as described above. It should be noted that thecomputer-readable media could be any media from which a computer canreceive instructions, including but not limited to hard disks, RAMs,ROMs, CDs, magnetic tape, internet downloads, carrier wave with signals,etc. Also instructions can be in any form including source code, objectcode, executable code, and in any language including higher level,assembly and machine languages. The computer system is not limited toany type of computer. It could be implemented in a stand-alone machineor implemented in a distributed fashion, including over the internet

While the present invention has been particularly shown and describedwith reference to exemplary implementations thereof, it will beunderstood by those of ordinary skill in the art that various changes inform and details may be made therein without departing from the spiritand scope of the present invention as defined by the following claims.

1. A method for monitoring activity and detecting unauthorized access todatabase tables, the method comprising: parsing an incoming transactionsubmitted by a client; determining whether the incoming transactionincludes an invocation of a stored procedure; obtaining a query groupdata structure corresponding to the stored procedure; applying an accesscontrol policy on the query group data structure; and asserting anunauthorized event if the query group data structure is not compliantwith the access control policy; wherein the access to database tables isindirectly performed using the stored procedure.
 2. The method of claim1, further comprising: upon asserting the unauthorized event, blockingthe transaction.
 3. The method of claim 2, wherein the detection of anunauthorized access is performed inline and online by a secure gatewayinstalled between the client and a database server.
 4. The method ofclaim 3, wherein the query group data structure includes at least onepair of a table and an operation performed on the table.
 5. The methodof claim 3, wherein the query group data structure includes at least oneprivileged operation executed by the stored procedure.
 6. The method ofclaim 5, further comprising: distinguishing between transactions inwhich a table is directly accessed by the client and transactions inwhich a table is indirectly accessed using the stored procedure toaccess the table.
 7. The method of claim 6, wherein applying the accesscontrol policy on the query group further comprising: applying on thequery group data structure at least one of correlation rules and auditrules associated with the client.
 8. method of claim 7, wherein thestored procedure includes at least one of: a user defined function, adatabase trigger, a database view.
 9. A computer program product formonitoring activity and detecting unauthorized access to databasetables, the computer program product having computer instructions on atangible computer readable medium, the instructions being adapted toenable a computer system to perform operations comprising: parsing anincoming transaction submitted by a client; determining whether theincoming transaction includes an invocation of a stored procedure;obtaining a query group data structure corresponding to the storedprocedure; applying an access control policy on the query group datastructure; and asserting an unauthorized event if the query group datastructure is not compliant with the access control policy; wherein theaccess to database tables is indirectly performed using the storedprocedure.
 10. The computer program product of claim 9, furthercomprising: upon asserting the unauthorized event, blocking thetransaction.
 11. The computer program product of claim 10, wherein thedetection of an unauthorized access is performed inline and online by asecure gateway installed between the client and a database server. 12.The computer program product of claim 11, wherein the query group datastructure includes at least one pair of a table and an operationperformed on the table.
 13. The computer program product of claim 11,wherein the query group data structure includes at least one privilegedoperation executed by the stored procedure.
 14. The computer programproduct of claim 13, further comprising: distinguishing betweentransactions in which a table is directly accessed by the client andtransactions in which a table is indirectly accessed using a storedprocedure to access the table.
 15. The computer program product of claim14, wherein applying the access control policy on the query groupfurther comprising: applying on the query group data structure at leastone of correlation rules and audit rules associated with the client. 16.The computer program product of claim 15, wherein the stored procedureincludes at least one of: a user defined function, a database trigger, adatabase view.